lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Thu, 2 Apr 2009 07:57:24 +0100
From: Sumit Siddharth <sumit.siddharth@...il.com>
To: Dragos Ruiu <dr@....net>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: EUSecWest 2009 CFP (May 27/28,
	Deadline April 7 	2009)

HI Drago,
i didn't get a respose for my earlier mails. I would like to submit my talk
"Recent Advancements in SQL Injection Injection Exploitation Technique". I
gave this talk earlier at OWASP Appsec Au 2009, where it was very well
received. The talk has a number of demos which makes it very enjoyable.
Lemme know if you wish to include this. I am based in London.Here is the
full agenda:

Abstract

 This talk will cover different aspects of SQL Injection techniques and will
highlight why every SQL Injection is unique. Starting with the very basics
the talk will get more and more complex and will discuss exploiting SQL
injections which seem to be un-exploitable. Numerous examples will be
presented when the SQL Injection vulnerability will go undetected even by
leading scanning software costing $$. A very common vulnerability will be
shown along with a google dork which will return several "top" websites
vulnerable. Further, a new technique of exploiting SQL Injection in Oracle
to hack internal networks will be discussed. The Talk will also discuss a
number of SQL injection tools and will prove why tools can still not replace
a human pen tester.

 Outline:-

 *What is SQL Injections (yawn...)
*Type Of SQL Injections (yawn...)
*Identifying SQL injections (Identification.......time to wake up..)
*xp_cmdshell is disabled, wtf....(exploitation)
*whats xp_cmdshell alternative on mysql and oracle..(Exploitation)
*Blind SQL Injections (exploitation/identification)
*Deep Blind Injection (exploitation/identification)
*Time Delay Functions & beyond (exploitation)
* UTF7 encoding, magic quotes etc.
*Avoiding Time Delay Functions (exploitation)
*Convert Time Dealy to blind Injections (Exploitation)
* Injection in order by,group by and limit clause (Exploitation
.&.Surprise!!)
*Out Of Band Channels (Exploitation)
*Using Oracle's SQL Injection(UTL_HTTP) to own internal SQL server (
Exploitation)
*Exploiting Internal hidden networks (Exploitation)
* Can your tool detect these

 Why should you include this talk:-
 1. As more and more injection tools are available in the market, this talk
will help the audience choose the right tool for the right injection.

 2. The oracle's utl_http method to sploit internal networks is cutting edge
and no-one has ever talked about it, in the context i will talk.

 3. Its fun, everyone loves sql injection, and its not a talk, its all demo
and people will love to see the oracle sql injection returning a shell from
a ms-sql server.


 About me:-
I graduated from IIT Kanpur in 2005, and after working for NII Consulting
for about a year i have shifted to U.K, where i work for Portcullis Computer
Security. I have been a speaker at many conferences and my articles and
advisories are available on various security websites.I also own the website
www.notsosecure.com .

 /* I will probably rewrite the bio later */

 Thanks
Sid

On Wed, Apr 1, 2009 at 10:29 PM, Dragos Ruiu <dr@....net> wrote:

> Call For Papers
>
>    The EUSecWest 2009 CFP is now open.
>
>    Deadline is April 7th, 2009.
>
> EUSecWest CALL FOR PAPERS
>
>    LONDON, U.K. -- The third annual EUSecWest applied
>    technical security conference - where the eminent figures
>    in the international security industry will get together
>    share best practices and technology - will be held in
>    downtown London at the Sound Club in Leicester Square
>    on May 27/28, 2009. The most significant new discoveries
>    about computer network hack attacks and defenses,
>    commercial security solutions, and pragmatic real world
>    security experience will be presented in a series of
>    informative tutorials.
>
>    The EUSecWest meeting provides international researchers
>    a relaxed, comfortable environment to learn from
>    informative tutorials on key developments in security
>    technology, and collaborate and socialize with their peers
>    in one of the world's most most important technology
>    hubs and scenic cities. The timing of the conference
>    allows international travelers to travel to Berlin for
>    FX's Ph-Neutral on the weekend, and Rennes the
>    following week for SSTIC.
>
>    We would like to announce the opportunity to submit
>    papers, and/or lightning talk proposals for selection by
>    the EUSecWest technical review committee. This year we
>    will be doing one hour talks, and some shorter talk
>    sessions.
>
>    Please make your paper proposal submissions before
>    April 7th, 2009.
>
>    Some invited papers have been confirmed, but a limited
>    number of speaking slots are still available. The
>    conference is responsible for travel and accommodations for
>    the speaker (one speaker airfare and one room). If you
>    have a proposal for a tutorial session then please email
>    a synopsis of the material and your biography, papers
>    and, speaking background to secwest09 [at] eusecwest.com .
>    Only slides will be needed for the paper deadline, full text
>    does not have to be submitted - but will be accepted if
>    available.
>
>    The EUSecWest 2009 conference consists of tutorials on
>    technical details about current issues, innovative
>    techniques and best practices in the information security
>    realm. The audiences are a multi-national mix of
>    professionals involved on a daily basis with security
>    work: security product vendors, programmers, security
>    officers, and network administrators. We give preference
>    to technical details and new education for a technical
>    audience.
>
>    The conference itself is a single track series of
>    presentations in a lecture theater environment. The
>    presentations offer speakers the opportunity to showcase
>    on-going research and collaborate with peers while
>    educating and highlighting advancements in security
>    products and techniques. The focus is on innovation,
>    tutorials, and education instead of product pitches. Some
>    commercial content is tolerated, but it needs to be backed
>    up by a technical presenter - either giving a valuable
>    tutorial and best practices instruction or detailing
>    significant new technology in the products.
>
>    Paper proposals should consist of the following
>    information:
>     1. Presenter, and geographical location (country of
>        origin/passport) and contact info (e-mail, postal
>        address, phone, fax).
>     2. Employer and/or affiliations.
>     3. Brief biography, list of publications and papers.
>     4. Any significant presentation and educational
>        experience/background.
>     5. Topic synopsis, Proposed paper title, and a one
>        paragraph description.
>     6. Reason why this material is innovative or significant
>        or an important tutorial.
>     7. Optionally, any samples of prepared material or
>        outlines ready.
>     8. Will you have full text available or only slides?
>     9. Language of preference for submission.
>    10. Please list any other publications or conferences
>        where this material has been or will be
>        published/submitted.
>
>    Please include the plain text version of this information
>    in your email as well as any file, pdf, sxw, ppt, or html
>    attachments.
>
>    Please forward the above information to secwest09 [at]
>    eusecwest.com to be considered for placement on the
>    speaker roster, or have your lightning talk scheduled. If
>    you contact anyone else at our organization please ensure
>    you also cc the submission address with your proposal or
>    it may be omitted from the review process.
>
>
> cheers,
> --dr
>
> --
> World Security Pros. Cutting Edge Training, Tools, and Techniques
> London, U.K. May 27/28 2009  http://eusecwest.com
> pgpkey http://dragos.com/ kyxpgp
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>



-- 
Sumit Siddharth

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists